Skip to content
TruCore logoTruCore

RFC-style Specification

Receipt Specification v1

This document defines the canonical ATF receipt contract for deterministic evaluation outputs and receipt verification workflows.

1. Status of This Document

  • Version: v1
  • Stability: Production-compatible
  • Determinism guarantee: Same input and policy context MUST produce the same decision and receipt hash.

2. Abstract

A receipt is a deterministic, tamper-evident record of a policy evaluation outcome for a financial action request.

  • This specification defines what a receipt is.
  • This specification defines what a receipt proves.
  • This specification defines what a receipt does not prove.

3. Receipt Model Overview

The canonical JSON structure below is normative for Receipt Specification v1.

canonical-json
02  "version": "v1",
03  "timestamp": "ISO-8601",
04  "request": {
05    "action": "string",
06    "token_in": "string",
07    "token_out": "string",
08    "amount": "number",
09    "max_slippage_bps": "number",
10    "ttl_seconds": "number"
11  },
12  "result": {
13    "status": "allowed | denied",
14    "reason": "string",
15    "invariant_checks": ["string"],
16    "receipt_hash": "hex-encoded SHA-256"
17  }

4. Deterministic Evaluation Contract

  • Implementations MUST produce deterministic outputs for equivalent normalized inputs.
  • Implementations MUST NOT introduce randomness into receipt-relevant output fields.
  • Implementations MUST NOT mutate receipt-relevant fields based on wall-clock timing.
  • Equivalent input MUST produce equivalent decision and equivalent receipt hash.

5. Receipt Hash Definition

  • The receipt hash MUST be SHA-256 over canonical serialized JSON receipt data.
  • The receipt hash MUST be hex-encoded, 64 characters, and lowercase.
  • Any mutation of canonical receipt data MUST change the receipt hash, providing tamper evidence.

6. Versioning Rules

  • The receipt version field is REQUIRED for explicit v1 receipts.
  • Missing version MUST be treated as legacy v1 for backward compatibility.
  • Unknown version MUST return supported_version=false in verification responses.
  • Supported versions for this deployment: v1.

7. Signature Layer (Optional Extension)

  • Ed25519 signatures MAY be produced over the receipt hash.
  • Signature encoding SHOULD be base64 for transport interoperability.
  • Signatures are outside the core receipt object in this version contract.

8. Anchoring Layer (Future Extension)

  • Receipt hash anchoring to external systems MAY be implemented as an out-of-band proof.
  • Anchoring MUST NOT modify the core receipt structure defined in this document.

9. Security Considerations

  • Deterministic hashing provides reproducible integrity checks.
  • Receipt hashes provide tamper evidence for stored and transmitted receipt payloads.
  • The ATF receipt system does not custody funds.
  • The ATF receipt system does not sign transactions for execution.

10. Related Links